{"id":15808,"date":"2026-02-16T08:05:17","date_gmt":"2026-02-16T08:05:17","guid":{"rendered":"https:\/\/newestek.com\/?p=15808"},"modified":"2026-02-16T08:05:17","modified_gmt":"2026-02-16T08:05:17","slug":"ciso-julie-chatman-wants-to-help-you-take-control-of-your-security-leadership-role","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=15808","title":{"rendered":"CISO Julie Chatman wants to help you take control of your security leadership role"},"content":{"rendered":"
\n
\n
\n
\n
\n
\n
<\/div>\n<\/section>\n

Julie Chatman never planned to get into cybersecurity. In fact, she believes most don\u2019t but are mentored into it, as she was.<\/p>\n

Chatman started her professional career as a Navy Hospital Corpsman, specializing in medical laboratory science and technology \u2014 a core part of medical diagnostics. \u201cI analyzed blood work, monitoring quality control, ensuring accuracy in life-or-death results. That precision and systems thinking translates directly to how I approach cybersecurity today,\u201d she tells CSO.<\/p>\n

After three US Navy enlistments, Chatman joined the FBI as a budget analyst for the Office of the CIO. \u201cBudget analysis wasn\u2019t my end goal, but it taught me how technology investments get made in large organizations,\u201d she says. \u201cI learned the language of ROI, risk, and resource allocation \u2014 all critical for cybersecurity leadership.\u201d<\/p>\n

That foundation proved valuable when a senior leader tapped her for a high-stakes project: digitizing the FBI\u2019s paper-based classified informant files.<\/p>\n

\u201cThe FBI ran on paper with more than 50 field offices, more than 20 legal attach\u00e9 offices, and multiple covert sites worldwide,\u201d Chatman explains. \u201cWe had to implement the agency\u2019s first role-based access controls, PKI infrastructure, and digital signatures while managing change across thousands of personnel who\u2019d never worked this way before.\u201d<\/p>\n

The project combined enterprise cybersecurity, organizational change management, and operational security on a massive scale. Its success opened doors to progressively senior roles, ultimately leading to her position as a cybersecurity and risk leader within the FBI.<\/p>\n

From the FBI, Chatman moved into strategic advisory roles with Deloitte, GSK, and McKinsey, where she led cybersecurity transformations for Fortune 100 companies, advised on multi-billion-dollar corporate demergers, and authored foundational crisis management frameworks. She has since served as CISO for healthcare and federal contractors, and now runs ResilientTech Advisors, a cybersecurity consulting firm. Throughout her career, she has prioritized mentoring emerging cybersecurity professionals.<\/p>\n

CSO spoke to Julie Chatman<\/a> about how the CISO role is changing and how security leaders can navigate challenges specific to the role. Following is that conversation, edited for length and clarity.<\/p>\n

What are some of the challenges CISOs or cybersecurity leaders are facing today?<\/strong><\/p>\n

Chatman:<\/strong> There are a couple of challenges \u2014 some old, some new.<\/p>\n

The old challenge is getting people to understand that security matters. And when I say people, I mean colleagues, C-level leaders, everyone in your environment. Security often feels like friction, it gets in the way of getting work done. People will work around things that slow them down, including security controls. That\u2019s the fundamental tension.<\/p>\n

The second challenge is funding. Because of that first challenge, leaders often don\u2019t see cybersecurity budget requests as necessary until something goes wrong.<\/p>\n

The third challenge is modern: AI-enabled adaptive attacks<\/a>. We\u2019ve always had emerging technology, but AI is different because it can mimic human intelligence to some extent. Now we\u2019re dealing with attacks that change their behavior based on who they\u2019re targeting. No one planned for that.<\/p>\n

And then there\u2019s personal liability<\/a>. In a few high-profile cases, security leaders have faced criminal charges<\/a> for how they handled breach disclosures, and civil enforcement for how they reported risks to investors and regulators. The trend is toward holding CISOs personally accountable for governance and disclosure decisions. But here\u2019s the problem: CISOs often don\u2019t have the authority to match that accountability<\/a>. You tell leadership, \u2018We need this control\u2019 and you\u2019re told to stop asking. Then something happens. Guess who gets blamed? CISO can also mean chief scapegoat.<\/p>\n

It\u2019s getting harder to convince younger people to sign up for this job.<\/p>\n

Are you seeing that happen? Have you noticed people avoiding the job or just being afraid because of these recent cases?<\/strong><\/p>\n

Chatman: <\/strong>Yes, absolutely. There are other ways to make money without this level of stress and exposure.<\/p>\n

Think about the typical setup: You\u2019re a C-level executive, but you report to another C-level who controls your budget. They have D&O [directors and officers] insurance coverage. You might not<\/a>. They cut your cybersecurity budget. Then when there\u2019s a breach, they blame you and you\u2019re personally exposed while they\u2019re protected.<\/p>\n

Who would sign up for that?<\/p>\n

The role is becoming less attractive<\/a>. You\u2019re seeing the rise of fractional CISOs, virtual CISOs, heads of IT security instead of full CISO titles. It\u2019s a lot harder to hold a fractional CISO personally liable. This is relatively new. The liability conversation really intensified after some high-profile enforcement actions, and now we\u2019re seeing the market respond.<\/p>\n

What can the cybersecurity industry do to fight the liability trend we\u2019re seeing?<\/strong><\/p>\n

Chatman: <\/strong>There are advocacy groups pushing back, but realistically, if regulators want to hold people liable, they will. So maybe it\u2019s less about fighting the trend and more about navigating it as an individual \u2014 at least for now.<\/p>\n

First, negotiate protection upfront. When you\u2019re thinking about accepting a CISO role, explicitly ask about D&O insurance coverage<\/a>. If the CISO is not considered a director or an officer of the company and can\u2019t be given D&O coverage, will the company subsidize individual coverage? There are companies now selling CISO-specific policies. Make this part of your compensation negotiation.<\/p>\n

Second, do your job well but understand the paradox. Sometimes when you do your job properly, you\u2019re labeled \u2018the office of no,\u2019 you\u2019re seen as \u2018difficult,\u2019 and you last 18 months. It\u2019s a catch-22.<\/p>\n

Real liability protection is changing how your organization thinks about risk ownership. Most organizations don\u2019t have a unified view of risk or the vocabulary to discuss it properly. If you can advance that as a CISO, you can help the business understand that risk is theirs to accept, not yours.<\/p>\n

Here\u2019s what that looks like in practice: Someone says, \u2018I don\u2019t want to implement this control; it\u2019s too expensive.\u2019 That\u2019s fine but someone has to formally accept that risk. And it\u2019s not you. It\u2019s the business owner, the data owner, the product owner. Document it in your GRC tool, create a process, get sign-off.<\/p>\n

I see CISOs get in trouble when they take on risk that doesn\u2019t belong to them. They act like they have veto power. They say, \u2018I\u2019m blocking this\u2019 or \u2018You can\u2019t do that.\u2019 That puts them in the position of accepting risk that isn\u2019t theirs to accept.<\/p>\n

Instead, say: \u2018We have a risk appetite and risk tolerance. This decision falls outside those parameters. I need you to formally accept this risk.\u2019 That\u2019s a conversation. You\u2019re not telling them no; you\u2019re asking them to own their choice.<\/p>\n

But this requires a culture shift in the cybersecurity community. A lot of us aren\u2019t used to being heard, so we just talk louder. That\u2019s not business leadership.<\/p>\n

Every CISO needs to remember they\u2019re a business leader first. That means thinking about ROI, operational friction, and production impact. No more \u2018we need to do this because it\u2019s the right thing to do.\u2019 That\u2019s great in a movie, but you\u2019re running a business function. Businesses run on tradeoffs.<\/p>\n

How do you balance the organization\u2019s investment in cyber with the needs to protect the business?<\/strong><\/p>\n

Chatman: <\/strong>It depends on how much voice you have as the CISO. In some organizations, the CISO has no seat at the table. The CIO and other C-levels make budget decisions behind closed doors, then the CIO tells you what you\u2019re getting. But regardless of your organization structure, the best practice is to articulate value in a way stakeholders can receive it. And before you even get to budget conversations, establish yourself as a partner, not just a cost center.<\/p>\n

One thing I do when joining an organization is audit the existing tools. Are we paying for things we don\u2019t use? Are we double-paying for overlapping capabilities? I can usually find a couple hundred thousand dollars in savings pretty quickly. That makes you friends in the CFO\u2019s office fast.<\/p>\n

When it comes to the budget, be honest about what you need and transparent about what happens if you don\u2019t get it. I also recommend building three versions of your budget:<\/p>\n